wireguard client module for thinkpad

hosts/default.nix

@@ -150,6 +150,9 @@
         extraHmModules = [
           inputs.ccrEmacs.hmModules.default
         ];
+        secrets = {
+          "thinkpad-wireguard-private-key" = {};
+        };
       };
       rock5b = {
         system = "aarch64-linux";

hosts/thinkpad/default.nix

@@ -11,6 +11,7 @@
       ./hardware-configuration.nix
     ]
     ++ fleetModules [
+      "wireguard-client"
       "adb"
       "audio"
       "battery"

modules/wireguard-client/default.nix

@@ -0,0 +1,32 @@
+{config, ...}: {
+  networking.firewall = {
+    allowedUDPPorts = [51820]; # Clients and peers can use the same port, see listenport
+  };
+  # Enable WireGuard
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      ips = ["10.100.0.2/32"];
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;
+
+      peers = [
+        {
+          # Public key of the server (not a file path).
+          publicKey = "O9V2PI7+vZm7gGn3f9SaTsJbVe9urf/jZkdXFz/mjVU=";
+
+          # Forward all the traffic via VPN.
+          # allowedIPs = [ "0.0.0.0/0" ];
+          # Or forward only particular subnets
+          allowedIPs = ["10.100.0.1"];
+
+          # Set this to the server IP and port.
+          endpoint = "mothership.aciceri.dev:51820";
+
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}

secrets/default.nix

@@ -2,6 +2,7 @@ let
   users.ccr = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5cEUx25pnZiH3eBrE2xNbJ92gJiKSznDUNRzcEL4ti6FlJm+75p4q0hgdqHwStR8+uCWBL6viVFCGutOVMFE5MX1Oc3A8fJdR6H9Rrwvk/1UQzqzc9tWxw1qPLKz+fnPDomjOvNofghCWQRwX3Xf1HnIqvRwELpNbR9i+/cHkDGzLJxkstbt4gol8ywMPkw02QdKk8s5MEd1vawxc+7Chs0JPW57RDqDYFErYys52JLeAViCBB9bofF+KT42LuRXKSjWlvCV9kR5TL49vUeBgzMQWMh++WQdN4m9lpqFqYyc75I49/E0HGf8LChDSS+hvRnb5MbtnVGjEA4WDHyldmJCvUNob5CUo4FjoSPRi+S/J3Ads8D4JVwaJOJEVqmMKEhiQ0Hzk4hwe3eV/VumlZj4U/QjaCrqqi4TW/iP0gNRfzcfiM+G/z5R7w1NMUpTX7oilyKjMQmGnXB857D3SSptS7dwh5OiKhVmrQMRCduooUsj236abqLU28K//RnxhOgh8kDGgoUHApnTiMZNKhgLiR42lKrubNcW1tAAqoNyFLMwwXeMLjh0iP1b5y8ntfNPNIcGb7vcwpS24z/aIjW7rQ4J7x5EBphHGhys6ne+irdhOM8c7kFr+c8+Q2oU0YAtFuMYztAFOHm1e20X00Zvys2nuee+hT9F1NungAQ==";
   hosts = {
     test = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHc46mGCuaKLwNzK/abuedYQLw9h/Cp5MhVb7IHTGh0E root@test";
+    thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZMyLFfuBeDfPLn8WL6JazYpYq3oVvCdD4ktyt915TL";
     mothership = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlepPWHE9GvQIBcAQBQPd80oiePSPxGDnMdqpdEqx6I";
   };
 in {
@@ -9,4 +10,8 @@ in {
   "autistici-password.age".publicKeys = [users.ccr];
   "magit-forge-github-token.age".publicKeys = [users.ccr hosts.mothership];
   "git-workspace-tokens.age".publicKeys = [users.ccr hosts.test hosts.mothership];
+
+  # WireGuard
+
+  "thinkpad-wireguard-private-key.age".publicKeys = [hosts.thinkpad];
 }

secrets/thinkpad-wireguard-private-key.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 GVMLQg 8234gUExVmFvBd15Y8mDZMQN+JB0iF19Aco06QOF+WI
+pF4KkrffJ/JyihbqyzssHWQj4KTAT9FaO6d4C7W3fjQ
+-> C_|=?Ris-grease g3jg)xQT BnPMOr^ C3
+CTxz+ixS9zskTgznQf9x80hgX/maxeYS5GQloV9ARTs0g1q8sR4XWWcM28c7RKoM
+vxfC5QDCpmXaCiDG7s/xaTXF0GDSAyuFfcUCru0L0aOnz2ZGlWllKZ4
+--- n10P3gZZFs/X9zqMlV+jNgYd3nBdt0UJEqvB0GDDgRs
+0sàÇwÌÝN©hÚ:¾ØR<.6}?Šä!µ}<7D>ená	`5lÉLm¥²™ïsYÁð˜š<CB9C>ø~d0~Å–x‡{¼BAu<41>qüàíáȘÒž